parse-platform acl parse-server

On Parse security


Maybe someone can help me to better understand Parse's ACL mechanism by confirming/refuting the following scenario:

  • User A creates an object and grants read/write permissions to users A and B.
  • User B can fetch the object, remove A from the ACL, and save it.
  • As a result, A -- the creator of the object -- no longer can change or even find the object.

If this is correct, I consider it a security issue. Is there a way to prevent client-side changes to the ACL of an object so I can manage the ACL entirely in Cloud Code?

EDIT: As pointed out by Mazel Tov, one way of dealing with this issue is to prohibit any direct client access and instead only use Cloud Code (with master key overriding) to access the data. I don't consider that a viable solution because this approach gives up most of Parse's benefits. ACLs are a great means of controlling access rights, but -- at least in some usage contexts -- giving clients the power of overriding these settings seems dangerous.

So for me the question remains: if Parse's ACLs theoretically allow any user with Write access for an object to manipulate the access rights of all other users, does nobody else see this as a security problem?


Solution

  • For others in a similar situation: I did not find a solution to this problem (at least to me it is a problem, not an "opportunity"), so I ended up using ACLs for controlling read access only (all write access is private), and running my own server-side permission system with lots of Cloud Code functions for all kinds of write access.
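One way to keep ACL changes out of client hands, as an added example that is not part of the original question or answer: a Cloud Code `beforeSave` trigger that rejects any update whose ACL differs from the stored one unless the save uses the master key. The class name `Note`, the helper names, and the choice to let the creator set the initial ACL are assumptions made for illustration.

```javascript
// Added example: reject ACL edits made by ordinary clients in a beforeSave
// trigger, so only Cloud Code running with the master key can change an ACL.
// "Note", canonicalAcl, rejectClientAclChange, stub and demo are hypothetical names.

// Serialize an ACL with sorted keys so equal ACLs compare equal
// regardless of the order in which entries were added.
function canonicalAcl(acl) {
  const json = acl ? acl.toJSON() : {};
  const out = {};
  for (const id of Object.keys(json).sort()) {
    out[id] = { read: json[id].read === true, write: json[id].write === true };
  }
  return JSON.stringify(out);
}

// beforeSave handler: throwing an error rejects the save.
function rejectClientAclChange(request) {
  if (request.master) return;     // master-key saves are allowed to manage the ACL
  if (!request.original) return;  // creation: assumed that the creator sets the initial ACL
  const before = canonicalAcl(request.original.getACL());
  const after = canonicalAcl(request.object.getACL());
  if (before !== after) {
    throw new Error("ACL can only be changed by Cloud Code");
  }
}

// Parse is a global inside Cloud Code; the guard lets this file load elsewhere.
if (typeof Parse !== "undefined") {
  Parse.Cloud.beforeSave("Note", rejectClientAclChange);
}

// Constructed stand-ins for Parse.Object, reproducing the scenario in the question.
const stub = (aclJson) => ({ getACL: () => ({ toJSON: () => aclJson }) });

function demo() {
  const rw = { read: true, write: true };
  const original = stub({ userA: rw, userB: rw }); // A created it, shared with B
  const edited = stub({ userB: rw });              // B saves with A removed
  try {
    rejectClientAclChange({ master: false, original, object: edited });
    return "saved";
  } catch (e) {
    return "rejected";
  }
}
```

With this trigger in place, clients with write access can still edit the object's other fields directly, and ACL changes go through Cloud Code functions that save with the master key.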